CVE-2020-36998

MEDIUM

Forma.lms The E-Learning Suite 2.3.0.2 - XSS

Title source: llm

Description

Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. Attackers can inject malicious scripts in course code, name, description fields, and email parameter to execute arbitrary JavaScript without proper input sanitization.

Exploits (1)

exploitdb WRITEUP

by Daniel Ortiz · textwebappsphp

https://www.exploit-db.com/exploits/48478

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/48478

[Product] https://sourceforge.net/projects/forma/

[Product] https://sourceforge.net/projects/forma/files/latest/download

[Third Party Advisory] https://www.vulncheck.com/advisories/formalms-the-e-learning-suite-persistent-cross-site-scripting

Scores

CVSS v3 6.4

EPSS 0.0004

EPSS Percentile 13.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Published Jan 30, 2026

Tracked Since Feb 18, 2026